Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu
Type of applianceNumber Firewalls166 Intrusion detection127 Media gateways110 Load balancers67 Proxies66 VPN gateways45 WAN Optimizers44 Voice gateways11 Total Middleboxes636 Total routers~900 Why middleboxes? Data from a large enterprise Survey across 57 network operators Critical for security, performance, compliance But painful to manage 2
Why should SDN community care? 3 Aug ONF report – “integrate into production networks” – “APIs for functions market views as important” Survey on SDN adoption [Metzler 2012] – “use cases that justify deployment” – “add a focus on Layer 4 through Layer 7 functionality … change in the perceived value of SDN.” Middleboxes: Necessity and Opportunity for SDN
4 Goal: SDN + Middlebox integration Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… Can we achieve SDN-Middlebox integration: with existing SDN APIs? with unmodified middleboxes? Open APIs
Challenges in SDN-MB integration 5 S1 S2 S4 S3 Proxy IDS Firewall Pkt, S2—S4: IDS or Dst ? Resource constraints Traffic modifications Policy composition FirewallIDSProxy IDS1 = 50% IDS2 = 50% Are forwarding rules correct? Proxy may modify traffic Space for traffic split? Simple flow rules may not suffice!
Recap: Three main challenges Policy composition 6 Is there enough rule space? Correctness? Flow rules may not suffice New dimensions beyond Layer 2-3 tasks Traffic modifications Resource constraints
2= Post Firewall Composition Tag Processing State 7 Firewall Proxy IDS 1=None 3=Post IDS 4 = Post Proxy S2 S4 Use “state” tags in addition to header, interface info
Resource constraints Joint Optimization 8 Resource Manager Topology & Traffic Switch TCAM Middlebox Hardware Policy Spec Optimal & Feasible load balancing Theoretically hard, but have practical near-optimal heuristics
FW IDS Proxy Web Rule Generator (Processing state tags, Switch tunnels) Resource Manager (Scalable joint optimization) Modifications Handler (Infer flow correlations) NIMBLE System Overview Legacy Middleboxes OpenFlow-capable OpenFlow 1.0 FlowTag/TunnelAction …… FlowTag/TunnelAction …… POX extensions OpenvSwitch
Benefits: Load balancing 10 Nimble Today 4-7X better load balancing without modifying middleboxes Low overhead: 0.1s to reconfigure after failure/overload
SDN + Middlebox Convergence 11 High OpEx Inflexible High CapEx COMB Consolidation [NSDI ‘12] ONS Poster APLOMB Cloud Outsourcing [SIGCOMM’12] NIMBLE Practical Integration [today’s talk] Middlebox pain points